{"id":51193068,"url":"https://github.com/kamb-code/sha256-r19-preimage","last_synced_at":"2026-06-27T17:31:06.828Z","repository":{"id":365763322,"uuid":"1271054450","full_name":"kamb-code/sha256-r19-preimage","owner":"kamb-code","description":"Oracle-free preimage attack on 19-round reduced SHA-256 — paper, solver, and independent verifier","archived":false,"fork":false,"pushed_at":"2026-06-18T19:36:27.000Z","size":1524,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T20:19:45.325Z","etag":null,"topics":["cryptanalysis","cryptography","cuda","gpu","hash-functions","preimage-attack","security-research","sha256"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kamb-code.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-16T09:39:57.000Z","updated_at":"2026-06-18T19:36:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kamb-code/sha256-r19-preimage","commit_stats":null,"previous_names":["kamb-code/sha256-r19-preimage"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/kamb-code/sha256-r19-preimage","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kamb-code%2Fsha256-r19-preimage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kamb-code%2Fsha256-r19-preimage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kamb-code%2Fsha256-r19-preimage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kamb-code%2Fsha256-r19-preimage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kamb-code","download_url":"https://codeload.github.com/kamb-code/sha256-r19-preimage/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kamb-code%2Fsha256-r19-preimage/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34862627,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-27T02:00:06.362Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptanalysis","cryptography","cuda","gpu","hash-functions","preimage-attack","security-research","sha256"],"created_at":"2026-06-27T17:31:03.674Z","updated_at":"2026-06-27T17:31:06.557Z","avatar_url":"https://github.com/kamb-code.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Oracle-Free 19-Round SHA-256 Preimage — Reproducibility Package\n\nThis folder contains everything needed to verify and reproduce the results in:\n\n\u003e **\"Oracle-Free Preimage Attack on 19-Round Reduced SHA-256\"**\n\u003e `paper_r19_final.pdf` / `paper_r19_final.tex`\n\n---\n\n## What is claimed\n\nAn oracle-free preimage attack on the **19-round reduced SHA-256 compression function**\ninitialized with the standard IV. Given only a 32-byte target hash, the solver\nfinds 16 arbitrary 32-bit message words W[0..15] such that:\n\n```\nSHA256_compress_19(IV, W[0..15]) + IV == target_hash\n```\n\nNo padding constraint is imposed on W[0..15]. This is a claim about the compression\nfunction, not standard padded SHA-256.\n\nThree independently verified preimages are included (`verified_preimages.txt`).\n\n---\n\n## Quick verification (no GPU, no lookup table needed)\n\nRequirements: Python 3.8+, no third-party packages.\n\n```bash\n# Verify P1\npython3 code/verify_r19.py --rounds 19 \\\n --hash 1e65261c54255188604f5375091839733de63e966b5e4715658226bf03588447 \\\n --words \"22f091af ec52d67b 74c33819 a280dc6a b001ff1a 1f2356a5 3eccf108 bd9a2333 \\\n abe611d1 6d1e5a20 8041df25 e43d31af aa895a2e 69106ad2 7479fa3a 2a9abb91\"\n\n# Verify P2\npython3 code/verify_r19.py --rounds 19 \\\n --hash fb52f81baed24f8728faf5bbce82c67d510761172fb9876d9e3a72dda351b7ca \\\n --words \"37e6702f bc20efea 2dd42a3e 501dfbe9 3cacc578 ea2de1c1 11c0f066 0f22be47 \\\n 2a447d2d 13f0080f 1f33df6b d655d8e6 15730eaa 9bf64950 9f129973 5a964edf\"\n\n# Verify P3\npython3 code/verify_r19.py --rounds 19 \\\n --hash 1bd7ebbdc4d938fb26d19b5dd5caf333de397bd1c745727bd5556baf38ccf977 \\\n --words \"3ce8fba4 e2fb9661 44730c59 e1cf4bc0 e1a18d93 97658983 67efe2a7 ef260ecb \\\n d4c6dbe0 13e9388e 95664a59 4d9e248b 74137862 664815ac 89eae95a cd7dbef5\"\n```\n\nAll three should print `result: OK`.\n\nThe verifier (`code/verify_r19.py`) is self-contained and deliberately does not\nimport any attack code.\n\n---\n\n## Running the solver on your own target hash (requires NVIDIA GPU + CUDA)\n\nRequirements: Python 3.10+, NumPy, tqdm, a CUDA-enabled PyTorch build, NVIDIA GPU\n(H100 recommended). A CPU-only PyTorch install will not run the solver.\n\n```bash\npip install numpy tqdm\n# Install PyTorch using the CUDA wheel appropriate for your driver/CUDA setup.\n\n# Attack a specific 19-round target hash of your choice:\npython3 code/h100_extended.py --hash \u003c64-hex-char-hash\u003e\n\n# Example (reproduces P1):\npython3 code/h100_extended.py \\\n --hash 1e65261c54255188604f5375091839733de63e966b5e4715658226bf03588447\n\n# Run with default random targets (benchmark / statistical mode):\npython3 code/h100_extended.py\n\n# Full options:\npython3 code/h100_extended.py --help\n```\n\nThe solver:\n1. Builds the σ₀(u)−u representative table in GPU memory (~16 GB, ~1.8 s on H100).\n2. Runs the backward chain on the target hash to fix the high state words.\n3. Samples random contexts for the free state words a[4..10].\n4. Sweeps a[0] over 2³² values per context using the C0/C1/C2 cancellation chain.\n5. Prints any found preimage to stdout and saves it to a `.txt` file.\n\nNo precomputed table file is required — the table is rebuilt from scratch each run.\nExpected time to first hit on H100: a few minutes to ~15 minutes (stochastic).\n\n**Generate your own target to attack:**\nChoose any 16 input words and run the verifier without `--hash`; it will print\nthe corresponding 19-round target hash. Then pass that hash to the solver.\n\n```bash\npython3 code/verify_r19.py --rounds 19 \\\n --words \"00000000 00000001 00000002 00000003 00000004 00000005 00000006 00000007 \\\n 00000008 00000009 0000000a 0000000b 0000000c 0000000d 0000000e 0000000f\"\n```\n\n---\n\n## Does padding matter? Why W[0..15] are unconstrained here\n\nStandard SHA-256 appends a specific padding to each message before hashing:\na `0x80` byte, then zeros, then the 8-byte message bit-length. For a message\nshorter than 56 bytes, this all fits in one 512-bit block, so several of the\n16 input words are fixed by the padding format.\n\n**This attack does not use standard padding.** W[0..15] are treated as 16\narbitrary 32-bit words — no structure is required. This gives the solver the\nmaximum possible freedom to satisfy the 19-round equations.\n\n**What this means in practice:**\n\n| Scenario | Applies? |\n|---|---|\n| \"Find W[0..15] s.t. 19-round compress(IV,W)+IV = T\" (this paper) | ✅ Yes |\n| \"Find a padded message s.t. standard SHA-256(msg) = T\" (real preimage) | ❌ Not directly |\n\nTo attack a padded message preimage you would need to additionally satisfy\nthe padding constraints (e.g. W[14]=0, W[15]=bit_length, specific 0x80 byte).\nThat reduces the attacker's free variables from 16 to roughly 13–14, and\npropagates constraints into the schedule words (W[16], W[17], ...) that the\nattack depends on. A padded-message variant would require extending the method\nto handle those fixed values — this is not done here and remains an open problem.\n\n**The bottom line:** the method is the same (backward chain + σ₀-differential\ntable + C0/C1/C2 cancellations), but padding constraints would require\nadditional work to accommodate. The security of full 64-round padded SHA-256\nis not affected by this result.\n\n---\n\n## File listing\n\n```\npublish/\n README.md — this file\n paper_r19_final.pdf — compiled paper (21 pages)\n paper_r19_final.tex — LaTeX source\n verified_preimages.txt — the three verified preimage examples\n\n code/ — core reproducibility files:\n verify_r19.py — standalone verifier (no dependencies beyond stdlib)\n h100_extended.py — production GPU solver (PyTorch + CUDA)\n extended_solver.py — backward chain + W recovery utilities\n sha256_core.py — SHA-256 full-trace reference implementation\n utils.py — SHA-256 primitives (ROTR, Σ, σ, Ch, Maj, H0, K)\n\n auxiliary research scripts (not needed to reproduce):\n absorption_analysis.py — multi-block coordinate descent experiments\n alt_differential.py — alternate differential experiments\n angle_analysis.py — differential angle analysis\n block1_coord.py — single-block coordinate descent\n block2_coord.py — two-block coordinate descent\n cuda_sweep.py — CUDA birthday sweep for near-collisions\n deep_search.py — extended birthday search\n differential_trace.py — differential trace logging\n final_results.py — result aggregation\n gpu_sa.py — GPU simulated annealing (experimental)\n near_collision_result.py — near-collision result logging\n schedule_differential.py — schedule differential analysis\n sensitivity_matrix.py — sensitivity matrix computation\n threeblock_coord.py — three-block coordinate descent\n twobit_search.py — two-bit differential search\n twoblock_sweep.py — two-block birthday sweep\n zero_window_lemma.py — zero-window lemma verification\n```\n\nNote: the auxiliary scripts import from `/home/administrator/sha/sha256` (the original\ndevelopment tree) and will not run on a fresh clone. They are included for\ntransparency only — all results claimed in the paper use the five core files above.\n\n---\n\n## Key algebraic identities (see paper §4–§5)\n\n**Lemma 1 (W9 differential).**\nDefine Ŵ₉ = W₉_sched(a₁=0). Then Ŵ₉ − W₉_real = a₁.\n\n**Proposition 1 (C0 cancellation).**\nF₀ = W₁₆_bc − σ₁(W₁₄) − g(a₀) − Ŵ₉ − a₀ − C₀_const = σ₀(W₁) − W₁.\nSo a₁ cancels and the σ₀-differential table recovers W₁, hence a₁ = W₁ − g(a₀).\n\n**Proposition 2 (C1/C2 cancellations).**\nIn C1 the target unknown a₂ cancels; in C2 the target unknown a₃ cancels.\nBoth reduce to σ₀-differential table lookups.\n\nThese three identities together make the full 2³² sweep tractable on a single GPU.\n\n---\n\n## Attack model disclaimer\n\nThis result concerns only the one-block reduced-round SHA-256 **compression function**\n(19 of 64 rounds), initialized with the standard IV and with no padding constraint on\nthe 16 input words. It is **not** a preimage attack on standard padded SHA-256.\n\nThe oracle-free 20-round case remains open (see paper §7).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkamb-code%2Fsha256-r19-preimage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkamb-code%2Fsha256-r19-preimage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkamb-code%2Fsha256-r19-preimage/lists"}